How to identify a script sending spam through Postfix

You get information that your server is sending out spam emails. You have to find the source of the problem to fix it and stop it as soon as possible.
  1. Switch to a user with sudo rights
  2. Check the mail queue with command mailq
  3. The first column of the mail queue list shows unique mail ID's, pick one from an obvious spam email and copy it
  4. Check this email's details with command postcat -q <ID> using the unique mail ID you copied in place of <ID>
  5. Identify the line starting with "X-PHP-Originating-Script". This should show which script is generating the spam emails
  6. Remove the script, patch the website with latest security fixes and make sure folder and file permissions are secure
  7. Empty the mail queue with command postsuper -d ALL
  8. Check the mail queue again with command mailq to see if more emails are now generated. If the problem persists, repeat the above steps and see if you find other scripts causing you problems.
Ref: https://frontmag.no/artikler/utvikling/how-identify-script-sending-spam-through-postfix

Comments

Post a Comment

Popular posts from this blog

Backup & Restore Database as SQL Dump by SqlYog

Image
Direct Connection using MySQL C API (Sqlyog) → Download SQLyog Community Edition from this url and install /run https://github.com/webyog/sqlyog-community/wiki/Downloads fter you have connected to an instance of MySQL, you can make additional connections by selecting the New Connection option from the File menu. Saved Connections Select the connection name from the list. To rename a saved connection, click on the Rename button and edit the connection name and click save option to save the changed connection name. Other details can also be changed by selecting the particular connection, changing the necessary values and then by clicking on save to save those values. MySQL Host Address Specify a host name where the database is situated or the IP address of the server. User Name Specify a user name for connecting to the database server. Note: This is MySQL username...
Read more

Postfix can support per-domain outgoing IP addresses, but is not currently configured to do so

Sender Dependent Outgoing IP Address (Virtualmin) Introduction to Outgoing IPs By default, when your mail server sends out email the SMTP connection will come from the system's default IP address, typically that assigned to. eth0 Even if the email is from a domain that has its own private IP, that address will not be used when sending an email. This behavior can be changed on systems running Postfix version 2.7 and Virtualmin 3.94 or later so that outgoing email from a domain with a private IP address appears to come from that address. This can be useful for separating email from multiple domains as seen by other mail servers, or for setting up per-domain reverse DNS records. Initial Configuration This feature requires Postfix 2.7 (seen on most modern Linux distributions), Virtualmin 3.93 and ideally Webmin 1.600. The steps to set it up are as follows: SSH into the system as, root and edit the  /etc/postfix/main.cf  file. Look for a line starting with. sender...
Read more

How to download Virtual machine image of google cloud to local computer

======================================================================== Command to download Virtual machine image of google cloud to local computer. ======================================================================== 1.Download GoogleCloudSDKInstaller.exe and install in windows computer. 2.Configured Gcloud credential and region. 3.If you don't have any bucket then create one bucket to  store exported image. 4.Run below command in gcloud cli: gcloud compute images export --destination-uri gs://my-bucket/my-image.tar.gz \ --image my-image --project my-project or gcloud compute images export --destination-uri gs://my-bucket/my-image.tar.gz --image my-image --project_ My First Project 5. After finish, you can download the exported image of the virtual machine from gcloud bucket. ========================================================================
Read more